Broadband communications access, on which our society and economy is growing increasingly dependent, is not readily available to users on board mobile platforms such as aircraft, ships, and trains. While the technology exists to deliver the broadband communications services to mobile platforms, conventional solutions are commercially unfeasible due to the high costs for service or due to low data rates. The conventional solutions have typically only been available to government/military users and/or to high-end maritime markets such as cruise ships.
Passengers of aircraft are often business users who require access to their corporate network. To attract business users, the broadband communication services must provide acceptable data rates at a reasonable price and allow access to virtual private networks (VPNs). There are two basic modes of operation of VPNs. In a first mode, the VPN provides secure remote access from the client to corporate gateway across the Internet. In a second mode, the VPN provides secure gateway to gateway connections across the Internet. The first mode of operation applies when a passenger's laptop runs VPN client software and communicates with the passenger's corporate VPN gateway.
There are many different security protocols that are currently being used on the Internet. Layer 2 Forwarding (L2F) is a security protocol created by Cisco Systems. Point-to-Point Tunneling Protocol (PPTP), created by the PPTP industry forum, is currently the most widely used VPN protocol. There are several security weaknesses that make PPTP undesirable for future use. Layer 2 Tunneling Protocol (L2TP) evolved through the IETF standards process and is a security protocol that is a combination of PPTP and L2F. Internet protocol security (IPSec) is an architecture and related Internet key exchange (IKE) protocol that is described by IETF RFCs 2401–2409, which are hereby incorporated by reference. IPSec provides robust security and is a preferred protocol for future use.
IPSec provides integrity protection, authentication, privacy and replay protection services for IP level traffic. IPSec packets are of two types. A first type, IP protocol 50 (Encapsulated Security Payload (ESP)), provides privacy, authenticity and integrity. A second type, IP protocol 51 (Authentication Header (AH) format), provides integrity and authenticity for packets but not privacy.
IPSec can be used in two modes. A transport mode secures an existing IP packet from source to destination. A tunneling mode puts an existing IP packet inside a new IP packet that is sent to a tunnel end point in the IPSec format. Both transport and tunnel modes can be encapsulated in ESP or AH headers.
Internet web sites are identified by a public address. Routers and switches use the public address to route IP packets. Public addresses are considered a scarce resource. Requests for public address space from American Registry for Internet Numbers (ARIN) are scrutinized for efficient usage. Permanently assigning even a small number of public addresses to each mobile platform requires a large number of public addresses. When the mobile platform is not in use, the address(es) allocated to the mobile platform are not used. If a significant percentage of mobile platforms are not in use at a given time, ARIN will conclude that the public addresses are inefficiently used and deny the request.
To efficiently use IP addresses, some broadband communications systems employ Network Address Translation (NAT). NAT allows many hosts to share a single IP address by multiplexing streams based on transmission control protocol/user datagram protocol (TCP/UDP) port numbers as well as IP addresses. NAT was developed as an interim solution to combat IP address depletion. NAT maps IP addresses from one address domain to another, most often by mapping private IP addresses to public IP addresses. In a static NAT, a one-to-one mapping is defined between public and private IP addresses. In a dynamic NAT, a pool of public IP addresses is shared by an entire private IP subnet.
For example, private hosts 192.168.0.1 and 192.168.0.2 both send packets from source port 2000. A NAT device translates these to a single public IP address 207.29.194.28 with two different source ports, for example 2998 and 2999. Response traffic that is received for port 2998 is readdressed and routed to 192.168.0.1. Response traffic that is received for port 2999 is readdressed and routed to 192.168.0.2. As can be appreciated, the NAT gateway is directional.
When IPSec systems employ AH, the entire IP packet including invariant header fields (like source and destination address) is run through a message digest algorithm to produce a keyed hash. The recipient uses the keyed hash to authenticate the IP packet. If any field in the original IP packet is modified, authentication will fail and the recipient will discard the IP packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. NAT, however, by definition modifies IP packets. NAT modifies the packet header by replacing the packet's source address. As a result, systems employing NAT cannot employ IPSec if the remote system is configured to employ AH or gateway.
Therefore, a broadband communications system for mobile platforms that allows users to access VPNs, that conserves IP address space, that provides sufficiently high data rates and/or that conforms with the IPSec protocol would be desirable.